Usability challenges in security design

The security and usability session at the FIA Budapest looked at the relation between these two terms which are often perceived un-related or even contradictory at first. The session wanted to emphasize that there may be a trade-off between usability and security, and it wanted to outline this relation in detail. For that purpose, the set of five presentations and the subsequent discussion has led to the outcomes outlined as follows (for a detailed programme and presentation abstracts, see the session description).

The main message of the session is that there are many cases observed for which the relation between security and usability goes as follows: Increased security means decreased usability. An example for this is the number of (difficult to remember) passwords a user has to remember. By this annoyance in terms of usability, security may be decreased as a reaction – in this example by users writing down passwords. Accordingly, the main attack target – and attackers learned this very quickly (one solution, thus, may be to learn from fraudsters as they seem to understand users sometimes better than engineers do) – is in relation to social behaviour (social engineering). These days, such attacks go even as far as to exploit users being trained for security concerns: There are fake malware alerts which look credible, but are in fact a way to import malware to a system. Hence, the session agreed that security must be unobtrusive and not disruptive. And applications should be locked down to what they are supposed to do (and nothing more) – the problem, however, is to determine exactly what it is that an application is allowed to do.

Mobile Payment Security vs. Usability

The example of PGP (long time ago) shows that the existence of secure mechanisms alone is not sufficient. As users never found asymmetric encryption usable enough (and maybe did not understand its value), PGP never was deployed wide-scale. There are many approaches to a more ‘usable’ authentication than passwords (biometrics, Rorschach inkblot tests, knowledge-based credentials), but none of these approaches are widely accepted or deployed, nor do they work for all scenarios. The bottom line for the session organizers is that users are mindful of time and effort. Mechanisms that require excessive effort have low compliance or are circumvented. One good way to address this is the Amazon PayPhrase solution. The embedded video 'Mobile Payment Security vs. Usability' shows that industry players, in this case PayPal, care about security and usability. The PayPal example was not mentioned in the session. Nonetheless, it reflects a specific case from industry where ‘security and usability’ is perceived as an oxymoron, at least traditionally. Along the same line of arguments, an authentication system, the session organizers claim, must be easy to understand/communicate, portable, and easy to use.

The outlined trade-off between security and usability was presented to be of key interest as it leaves room to social engineering-driven attacks. This trade-off determines clearly a socio-economic issue – one that is of importance in today’s Internet as well as one that will most probably remain important in the future. It would be interesting to assess whether and how (including solution approaches) different Challenge I projects tackle security vs. usability. The session featured the example of the PICOS project (www.picos-project.eu) that works in the area of mobile communities and makes use of blurring and partial identities principles.